Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management



#Microsoft Windows Server Summit 2024 #Winserv #Hyperv #HybridIT

Don’t miss this awesome Microsoft Windows Server Summit 2024 virtual event to get the latest and greatest information, powered by the Engineering team!

When: March 26-28, 2024. Mark your Calendar 😉

Topics will be wide-ranging, covering all the new goodness of Windows Server 2025, on-prem and hybrid scenarios, Azure Arc, Identity, Virtualization, SMB updates and more!
Here you can find more information: Windows Server Summit 2024

Get started today with the Windows Server 2025 Insider Preview Build in your test environment!



Updating my MVPLAB with Windows Server 2025 Insider Preview Build 26040

Microsoft Windows Server 2025 Datacenter Insider Preview Build 26040

Microsoft released a new Windows Server Insider Preview Build 26040 on January 26th and changed the name Windows Server vNext to Microsoft Windows Server 2025!

So time to update my MVPLAB domain stack.local.

I’m updating my domain controller from build 26010 to 26040.

Before we can move further, we have to run adprep.

Run adprep from the new ISO on the domain controller.
Type C and press Enter to run it.

Schema upgrade from 90 to 91

adprep /domainprep.

Adprep successfully updated.

After this, click Refresh in Windows Server Setup if you still have it open.

I want to keep my files, settings and apps on my domain controller.
Click on Install

Installing Windows Server 2025 Insider Preview Build 26040

Don’t turn off your machine. 😉

Microsoft Windows Server 2025 Datacenter Insider Preview Build 26040
is running as my Domain Controller.

Don’t forget the latest updates.

Running Schema object version 91.

Here you can find more information about Windows Server 2025 Insider Preview Build 26040

Follow Jeff Woolsey on X (Twitter) here

Follow Ned Pyle on X (Twitter) here

Get started by joining Windows Server Insider program

Make your Windows Servers Hybrid with Microsoft Azure Arc
for more Hybrid IT management Benefits



Download the Windows 11 Security Book: Powerful #security by Design

Here you can download the Free Windows 11 Security E-book

How Secure are your devices?

Make it more secure by design with Windows 11 and do security assessments / scans for vulnerabilities on the PCs in your company.
I hope this free E-Book will give you more security insights.



Happy Holidays

I wish you all a Merry Christmas and a Happy & Healthy New Year 2024!
Thank you for all your support in the Community.

Join these Free LinkedIn Community Groups during the Holidays and keep up-to-date 😉

Microsoft Azure Monitor & Security for Hybrid IT

Azure Hybrid Community

Windows Admin Center Community

Azure DevOps Community

Containers in the Cloud

Azure Copilot and Security Copilot (NEW)



Adding Windows Server 2022 to Azure Arc Services #AzureHybrid #HybridIT #Azure

Azure Arc Enabled Server

With Microsoft Azure Arc Machine agent you can connect your Windows Server 2022 with Microsoft Azure Arc Services.
Microsoft Azure Arc-enabled servers let you manage Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or at another cloud provider. In October 2023 Microsoft released the setup of the Azure Arc Machine agent via Windows Update Center. In the following steps I will install Azure Arc via the Windows Server Manager:

Click on Disabled

Click on Next

Azure Connected Machine Agent is installing.

Click on Configure

Click on Next

Sign into your Azure Subscription

Click on Next

Select your Azure Active Directory Tenant.
Select Subscription
Select the Resource Group
Select the Azure Region
Select Network Connectivity.
Click on Next

You’re done, your Windows Server is now connected with Azure Arc.
Click on Finish

Here is our Azure Arc enabled Windows Server 2022 in the Microsoft Azure Portal.

 

From here you have all the Azure Arc Services available for your on-prem Server.

When you connect your machine to Azure Arc-enabled servers, you can perform many operational functions, just as you would with native Azure virtual machines. Below are some of the key supported actions for connected machines.

  • Govern:
  • Protect:
    • Protect non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, for vulnerability management, and to proactively monitor for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.
    • Use Microsoft Sentinel to collect security-related events and correlate them with other data sources.
  • Configure:
  • Monitor:
    • Monitor operating system performance and discover application components to monitor processes and dependencies with other resources using VM insights.
    • Collect other log data, such as performance data and events, from the operating system or workloads running on the machine with the Log Analytics agent. This data is stored in a Log Analytics workspace.

This is handy for installing a couple of servers manually, but when you have more to do, you can generate a script to install on multiple servers:

From the Azure Portal
Click on Generate Script

Here you can make a Basic script, a script for Configuration Manager,
a script for Group Policy, or one via Ansible.

Important:

Before you begin making your Windows Server Azure Hybrid with the Arc Connected Machine Agent, you have to think about Security by Design. With Identity and Access Management (IAM) you can manage who will get access to your Arc enabled Servers.
Who may use Windows Admin Center in the Azure portal, for example?

Access Control on Azure Arc enabled Server.

With Microsoft Azure policy you can set your governance and policies for the organization. There are a lot of pre-defined policies, but you can also make your own Azure policies for your Arc enabled Servers.

Conclusion

Making your datacenter(s) securely hybrid with Microsoft Azure Arc Services is easy to do and gives you a lot of Azure Hybrid benefits.
Start with your test environment and make your own Azure Arc enabled solutions, and when the experience is good you can do it in production 😉

 Here you find more about Azure Arc enabled Services:

Join the Azure Hybrid Community on LinkedIn for Free



What’s new with Azure Connected Machine agent and More CLI #AzureArc #AzureHybrid

Azure Connected Machine Agent

Microsoft is continuously improving and fixing issues on the Azure Connected Machine agent for Azure Arc Enabled Servers.

Before you make the servers in your datacenter hybrid with the Azure Arc Connected Machine Agent, have a look at security first if you want to be in control of the Azure Arc extensions. For example, who can install Azure Arc extensions? Which extensions should be installed and which not? Or, with the latest Azure Connected Machine Agent version 1.35 of October 2023, no extensions allowed to be installed on this server at all.

With Azure Arc Connected Machine Agent version 1.35 you can configure the extension manager to run, without allowing any extensions to be installed, by configuring the allowlist to “Allow/None”.  This supports Windows Server 2012 ESU scenarios where the extension manager is required for billing purposes but doesn’t need to allow any extensions to be installed.
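As an added example (not from the original post and not Microsoft's own script), the PowerShell below applies the "Allow/None" allowlist on one server and reads it back. It assumes an elevated session on an Arc-enabled server with azcmagent on the PATH, and that `azcmagent show -j` returns JSON containing an `agentVersion` field.

```powershell
#Requires -RunAsAdministrator
# Added example: pin the extension allowlist to "Allow/None" on one server.
# Assumption: 'azcmagent show -j' returns JSON with an 'agentVersion' field.

$minimum = [version]'1.35'   # first agent version that accepts Allow/None

# Join the native command's output lines before parsing them as JSON
$agent = (azcmagent show -j | Out-String) | ConvertFrom-Json
if (-not $agent.agentVersion) {
    throw 'azcmagent show returned no agentVersion.'
}

$installed = [version]$agent.agentVersion
if ($installed -lt $minimum) {
    throw "Agent $installed predates $minimum; upgrade before using Allow/None."
}

# The extension manager keeps running, but no extension may be installed
azcmagent config set extensions.allowlist 'Allow/None'
if ($LASTEXITCODE -ne 0) {
    throw 'azcmagent config set failed.'
}

# Read the setting back and fail loudly if the agent reports anything else
$readBack = (azcmagent config get extensions.allowlist | Out-String).Trim()
if ($readBack -notmatch 'Allow/None') {
    throw "Unexpected allowlist after set: $readBack"
}

"Agent $installed on ${env:COMPUTERNAME}: extensions.allowlist = $readBack"
```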

Users and applications granted contributor or administrator role access to the resource can make changes to the resource, including deploying or deleting extensions on the machine. Extensions can include arbitrary scripts that run in a privileged context, so consider any contributor on the Azure resource to be an indirect administrator of the server.

The Azure Connected Machine Onboarding role is available for at-scale onboarding and is only able to read or create new Azure Arc-enabled servers in Azure. It cannot be used to delete servers already registered or manage extensions. As a best practice, we recommend only assigning this role to the Microsoft Entra service principal used to onboard machines at scale.

Users who are members of the Azure Connected Machine Resource Administrator role can read, modify, re-onboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription.
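To review who holds the roles described above, the following added example (not part of the original post) classifies role assignments on a resource group that contains Arc-enabled servers. The JSON is constructed sample data in the shape `az role assignment list` returns; the function name `Get-ArcAccessFinding` is hypothetical, and treating Owner as the "administrator" role is an assumption.

```powershell
# Added example. Constructed sample data shaped like the output of:
#   az role assignment list --resource-group <rg> --include-inherited -o json
$sampleJson = @'
[
  {"principalName":"alice@contoso.example","principalType":"User",
   "roleDefinitionName":"Contributor","scope":"/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName":"sp-arc-onboarding","principalType":"ServicePrincipal",
   "roleDefinitionName":"Azure Connected Machine Onboarding","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc"},
  {"principalName":"bob@contoso.example","principalType":"User",
   "roleDefinitionName":"Azure Connected Machine Onboarding","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc"},
  {"principalName":"ops-team","principalType":"Group",
   "roleDefinitionName":"Azure Connected Machine Resource Administrator","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc"},
  {"principalName":"carol@contoso.example","principalType":"User",
   "roleDefinitionName":"Reader","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc"}
]
'@

function Get-ArcAccessFinding {
    param([Parameter(Mandatory)][object[]]$Assignment)

    foreach ($a in $Assignment) {
        $finding = switch ($a.roleDefinitionName) {
            # Contributor or administrator: can deploy or delete extensions
            { $_ -in 'Owner', 'Contributor' } { 'Indirect server admin via extensions' }
            'Azure Connected Machine Resource Administrator' { 'Can read, modify, re-onboard and delete machines' }
            'Azure Connected Machine Onboarding' {
                # Best practice: only the at-scale onboarding service principal
                if ($a.principalType -eq 'ServicePrincipal') { 'OK: onboarding role on a service principal' }
                else { 'Review: onboarding role on a non-service principal' }
            }
            default { $null }   # roles outside the scope of this review
        }
        if ($finding) {
            [pscustomobject]@{
                Principal = $a.principalName
                Type      = $a.principalType
                Role      = $a.roleDefinitionName
                Inherited = $a.scope -notmatch '/resourceGroups/'
                Finding   = $finding
            }
        }
    }
}

$assignments = $sampleJson | ConvertFrom-Json
Get-ArcAccessFinding -Assignment $assignments | Format-Table -AutoSize -Wrap
```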

Identity and Access Management (IAM) in Azure to Configure Roles.

Azure Arc Portal Agent version.

With the azcmagent CLI command, you can see more information about the Arc enabled Server, which is handy for
the Administrator to know:

azcmagent check

azcmagent config get config.mode

azcmagent show

azcmagent logs

In ProgramData you will find the Azure Arc Connected Machine Agent logs.

Guest config logs of Azure Arc extensions

The Azure Connected Machine agent command line tool, azcmagent, helps you configure, manage, and troubleshoot a server’s connection with Azure Arc. I just showed you some azcmagent commands I use for troubleshooting or to just get the right information.
Here you find the complete Azure Connected Machine Agent Command line reference

I hope this information is useful for you. Keep your azcmagent up-to-date for fixes and new innovative features!

Join the Azure Hybrid Community on LinkedIn Group

 



Windows Server Insider Preview Build 25967 with Azure Arc in Taskbar

You can Download Windows Server Insider Preview Build 25967 here

New in Windows Server Insider Preview Build 25967 is a Microsoft Azure Arc icon in your taskbar system tray.

Currently, Azure Arc allows you to manage the following resource types hosted outside of Azure:

  • Servers: Manage Windows and Linux physical servers and virtual machines hosted outside of Azure.
  • Kubernetes clusters: Attach and configure Kubernetes clusters running anywhere, with multiple supported distributions.
  • Azure data services: Run Azure data services on-premises, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. SQL Managed Instance and PostgreSQL (preview) services are currently available.
  • SQL Server: Extend Azure services to SQL Server instances hosted outside of Azure.
  • Virtual machines (preview): Provision, resize, delete and manage virtual machines based on VMware vSphere or Azure Stack HCI and enable VM self-service through role-based access.

Here you find the Azure Arc system tray icon.

Here you can see the Microsoft Azure Arc Status
and
You can connect to the Azure Arc enabled virtual machine in the Cloud.

Azure Arc enabled virtual machine in the Cloud.

Windows Admin Center via Azure Arc enabled Server.

Azure Arc Management in Server Manager!

Here you find more information about Windows Server Insider Preview Build 25967 on Microsoft Tech Community.

JOIN Microsoft Azure Arc Hybrid Community on LinkedIn



Windows Terminal with #AzureCLI Cloud Shell and #AI Knowledge Base

Windows Terminal with Azure Cloud Shell CLI

Microsoft Azure Artificial Intelligence (AI) is going fast in the Cloud. It can support you with the tools you use, like Azure CLI for example, to manage Azure resources. But AI can support you in Security too, like Microsoft Security Copilot.

Microsoft Security Copilot: create a visual to explain.

But I was busy with Windows Terminal in Windows 11 Insider Preview Build and Azure Cloud Shell.
First, getting the latest build of Azure CLI in my Windows Terminal:

az upgrade

Installing Azure CLI 2.48.1

Click on Install

Click on Finish

For the changes to take effect, you need to restart your machine.

After the reboot we have the Newest Azure CLI Version 2.48.1

Login Azure with Windows Terminal.

I’m connected with Azure via Windows Terminal Azure Cloud Shell.

Here I’m checking if I have a connection with Azure AI-examples:

az ai-examples check-connection

Connection was successful.

The Azure AI knowledge base made me find examples 🙂

When a command is incomplete or wrong, the AI knowledge base makes
a suggestion and gives a link to Microsoft docs.

Conclusion

This is where I like Microsoft Azure Artificial Intelligence (AI): it makes my IT Management easier and the job faster to do.
It’s supporting me in my work and not doing things I don’t like. It’s going fast with AI, and it’s important to keep it in control for doing IT Management tasks.



Microsoft Azure Arc Extensions Updates #AzureHybrid #AzureArc #AzOps

Azure Arc Extensions

Keep your Azure Arc extensions up-to-date



Azure Arc and Windows 11 Insider Preview Build Update #WindowsInsiders #WIMVP #AzureHybrid

Microsoft Azure Arc

Microsoft Azure Arc Services is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. Develop cloud-native applications with a consistent development, operations, and security model. Azure Arc runs on both new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems. Do more with less by leveraging your existing investments to modernize with cloud-native solutions.

Azure Arc Control Plane

So with this awesome Microsoft feature, Azure Arc, I have connected the servers of my Windows Insiders domain mvplab.local, such as a Windows Server Insider domain controller, a Windows Server Insider cluster with a SQL instance on it, and a domain-joined Windows 11 Insider Preview Build in the Beta Channel. Here you can find how to install the Azure Arc Agent on your Servers

Microsoft Azure Arc comes with great features like Azure Security with Cloud Defender to keep your Azure Arc enabled Servers as secure as possible. Azure Policies is very handy to keep your IT governance the same on every server. With Inventory and Change Tracking you are in control and get the right information about your machines. Monitoring your Azure Arc enabled servers with Insights and Log Analytics is very powerful. But for now I’m going to use the Updates feature on an Azure Arc enabled Windows 11 Insider Preview Build machine.

Important: I’m working with Windows Server Insider Preview Build and Windows 11 Insider Preview Build.
They are for testing purposes only and not for production environments!
Of course you can use Windows Server 2019 / 2022 or Windows 10 / 11 Build with Azure Arc 🙂

Here we have Windows 11 Insider Preview Build with new Updates in the Beta Channel.
Click on One time Update

I’m going to update this Azure Arc enabled Windows 11 Insider Preview Build once manually, but you can also schedule updates and use Update Management Center.

Select the Machine and Click on Next

Here you can select the updates or exclude updates.
Then Click on Next

Here you can set the Reboot option and
Maintenance Window in minutes.
Click on Next

Review and Click on Install

Install Updates Request is submitted.

At Updates of your Azure Arc enabled Machine you can open
Update Management Center

Here you can see the complete overview of the updates on your machines.
At the bottom left you see the 3 updates for the Windows 11 Insider Beta Build.

When you click on Machines in the left panel, you get this status overview.

When you click on History you will see the status in progress.

Updates are running on the Machine.

But with the Azure Resource Graph Explorer you can also
see when the updates have succeeded.

Update Management Center after successful running updates

Updates Done for Azure Arc enabled Windows 11 Insider Beta Build.

Now I have the newest Windows 11 Insider Preview Build in the Beta Channel at this moment.

Conclusion

You have seen how easy it is to work with Microsoft Azure Arc services to manage updates on your virtual machine. When you have a lot of virtual machines / servers to manage, you can configure them once and run this automatically via scheduled tasks every month. Now I can manage my on-prem servers / machines in the same way I do the Microsoft Azure Virtual Machines.
So this was only Updates, but you can do the same for Security and keep your machines secure by default with the same Azure policies on your machines for IT Governance. I hope you see the benefits of Azure Hybrid, and please start your own journey.
When you have a test environment, please consider the Microsoft Windows Insider program for Windows 11 Insider Builds and for Windows Server Insider Build to work with the newest features and get experience before GA becomes available.

JOIN the Azure Hybrid Community Group on LinkedIn